Extra Disciplinary Course (EDC): E-Banking (cmscbe.com/edc_all/ebanking.pdf)
SCHOOL OF COMMERCE
B.COM CA
EXTRA DISCIPLINARY COURSE (EDC) (For the students admitted during the academic year 2014 only)
E-BANKING
Syllabus
Ext: 40 Marks    Int: 10 Marks
UNIT - I
Electronic Banking: Traditional Banking vs E-Banking - E-Banking transactions - Models for E-banking - Constraints in E-Banking - Core Banking
UNIT - II
Online Banking: Introduction - Concept and meaning - The electronic delivery channels - Need for computerization - Automatic Teller Machine (ATM) - Electronic Fund Transfer (EFT) - Tele banking - Electronic Money Transfer.
UNIT - III
Updating bank saving accounts - E-Cheque - Magnetic Ink Character Recognition (MICR) - E-Banking in India - How to go on the net for Online Banking.
UNIT - IV
E-Banking Security: Introduction - Need for security - Cyber crimes - Reasons for privacy - Tampering - Encryption - Data Encryption Standard (DES).
UNIT - V
Electronic payment system - Types - Digital Signature Certificate & Electronic Signature - E-locking - RTGS - NEFT.
TEXT BOOK:
1. C.S. Rayudu, E-Business, Himalaya Publishing House.
REFERENCE BOOKS:
1. Roger Hunt & John Shelly, Computers and Commonsense.
2. Bhushan Dewan, E-Commerce.
Unit-I
DEFINITION OF E-BANKING
Electronic banking, also known as electronic funds transfer (EFT), is simply the use of
electronic means to transfer funds directly from one account to another, rather than by
cheque or cash.
We can use electronic funds transfer to:
· Have your paycheck deposited directly into your bank or credit union checking account.
· Withdraw money from your checking account at an ATM with a personal identification number (PIN), at your convenience, day or night.
· Instruct your bank or credit union to automatically pay certain monthly bills from your account, such as your auto loan or your mortgage payment.
· Have the bank or credit union transfer funds each month from your checking account to your mutual fund account.
· Have your government social security benefits check or your tax refund deposited directly into your checking account.
· Buy groceries, gasoline and other purchases at the point of sale, using a check card rather than cash, credit or a personal check.
· Use a smart card with a prepaid amount of money embedded in it instead of cash at a pay phone, an expressway road toll, or on college campuses at the library's photocopy machine or bookstores.
· Use your computer and personal finance software to coordinate your total personal financial management process, integrating data and activities related to your income, spending, saving, investing, recordkeeping, bill-paying and taxes, along with basic financial analysis and decision making.
Traditional banking and e-banking are two ways of getting the benefits of a bank. Both have benefits and disadvantages, and a customer can use either or both facilities. Here we show the differences between traditional banking and e-banking.
1. Basic Introduction
(a) Traditional Banking
In the traditional banking system, a customer can open a bank account in a bank and save money by depositing it in the local branch. He can withdraw his money by cheque, counter payment or bank draft. He can meet the bank manager and explain his problem, and he can get help in person when applying for a loan from the bank.
(b) E-banking
E-banking means Internet banking, modern banking or online banking. In this method, the customer receives a bank account ID and password, and he can check his account, pay his bills and print his receipts from his home personal computer connected to the Internet. E-banking is the development of today's banking system; in other words, e-banking is electronic banking whose facilities you can use through your regular broadband Internet connection.
2. Benefits
(a) Traditional Banking
Traditional banking has totally improved from its previous face. A few days ago, I went to State Bank of India to withdraw my money, where I saw many monitoring cameras. One friend of mine is also on duty in that bank. I asked my friend why these cameras had been installed here, and whether they were on. My friend explained to me that it is a project costing more than Rs. 500,000 per branch of SBI. "We do not want to take risks with customers' money. A customer's loss is our loss. We detect fraud cases by monitoring the activities through these surveillance cameras." I feel happy because now traditional banking has improved and there is a minimum chance of fraud.
(b) E-banking
(i) Convenient
I think e-banking is convenient because we can use e-banking to track our money in the bank without going to the bank. I am already changing everything from traditional to online. I track my courier letters by opening the courier's site and entering the tracking number; after this I can easily know when my letter will arrive from a foreign country.
(ii) Protection of Environment
If we all start to use e-banking, we can also protect our environment. Suppose you have to withdraw Rs. 500,000 from HDFC Bank and deposit it in SBI. What will you do? You will start your vehicle, go to HDFC Bank and withdraw the money, and then go to SBI to deposit it. By using a vehicle, you are increasing the pollution in the environment. Today is 5th June 2010, World Environment Day. We can protect our environment by using e-banking: within just 5 minutes, we can transfer our money from HDFC Bank to SBI through the home e-banking facility. You can also use the e-bill facility for your Internet bill.
3. Disadvantages
(a) Traditional Banking
(i) Robbery
Open any day's newspaper and you will see a new bank robbery case. This is the disadvantage: two or more thieves coming and taking the bank's money is routine news. No one can do the same thing in e-banking.
(ii)Time limitation
Banks are open from 9:00 to 5:00 p.m. But it may be that we have to pay at 11:00 p.m., which can be done through e-banking but not traditional banking.
(b)E-banking
Hacking, spyware programs, computer viruses and the breaking of online passwords are the weaknesses of e-banking or online banking. Big online hackers use computer viruses and, after spreading them, compromise your computer. After this, they know all the details of your computer and banking password and illegally transfer all your money; the next day, your bank account may be at zero. You can limit this crime by choosing a strong password, but you cannot remove it totally.
E-BANKING TRANSACTIONS
The introduction of new technologies has radically transformed banking transactions. In
the past, customers had to come physically into the bank branch to do banking
transactions including transfers, deposits and withdrawals. Banks had to employ several
tellers to physically make all those transactions. Automatic Teller Machines (ATMs)
were then introduced which allowed people to do their banking on their own, practically
anytime and anywhere. This helped the banks cut down on the number of tellers and
focus on managing money. The Internet then brought another venue with which
customers could do banking, reducing the need for ATMs. Online banking allowed
customers to do financial transactions from their PCs at home via Internet. Now, with the
emergence of Wireless Application Protocol (WAP) technology, banks can use the
infrastructure and applications developed for the Internet and move it to mobile phones.
Now people no longer have to be tied to a desktop PC to do their banking. The WAP interface is much faster and more convenient than the Internet, allowing customers to see account details and transaction details, make bill payments, and even check credit card balances.
The cost of the average payment transaction on the Internet is minimal. Several studies found that the estimated transaction cost through a mobile phone is 16 cents; for a fully computerized bank using its own software, 26 cents; for a telephone bank, 54 cents; for a bank branch, $1.27; for an ATM, 27 cents; and on the Internet it costs just 13 cents. As a result, the use of the Internet for commercial transactions started to gain momentum in 1995. More than 2,000 banks in the world now have transactional websites, and the growth of online lending solutions is making them more cost efficient. Recent developments are now encouraging banks to target small businesses as a separate lending category online.
Banks are increasingly building payment infrastructure with various security
mechanisms (SSL, SET) because there is tremendous potential for profit, as more and
more payments will pass through the Internet. However, the challenge for banks is to
offer a payments back-bone system that will be open enough to support multiple payment
instruments (credit cards, debit cards, direct debit to accounts, e-checks, digital money
etc.) and scalable enough to allow for a stable service regardless of the workload.
The market for Electronic Bill Presentment and Payment (EBPP) is growing. According to a study, 18 million households in the US are expected to pay their bills online by 2003, compared to 2 million households in 2001. As more bill payers get online, several banks are making efforts to find ways to meet the growing needs of EBPP. Established banks can emerge as key online integrators of customer bills and can capitalize on this high-potential market. Growing along with the popularity of EBPP is the paying of multiple bills at a single site, known as bill aggregation. Offering online bill payment and aggregation will increase the competitiveness and attractiveness of E-banking services and will allow banks to generate service-fee income from the billers.
In the B2B segment, the customer value proposition for online bill payment is more
compelling. B2B e-commerce is expected to grow from $406 bn in 2000 to $2.7 tn by
2004, and more than half of all transactions will be routed through online B2B
marketplaces. There is a need for automated payment systems to reduce cost and human
error, and enhance cash-flow management. To meet this need, a group of banks and non-
financial institutions led by Citibank and Wells Fargo have formed a company called
Financial Settlements Matrix (FSMx). It provides business buyers and sellers with access
to secure payment processing, invoicing and other services that participating financial
services firms offer.
A B2B marketplace would provide minimum value to its customers if it just matches
buyers and sellers, leaving the financial aspects of transactions to be handled through
traditional non-Internet channels. Hence, the marketplace must be capable of providing
the payments processing, treasury management services, payables/receivables data
flows, and credit solutions to complete the full cycle of a commercial transaction on the
Internet. The web based B2B e-commerce offers tremendous opportunities for banks,
payment technology vendors and e-commerce companies to form strategic alliances. This
new form of collaboration between partners with complementary core competencies may
prove to be an effective business model for e-business.
Core Banking
A core banking system is the software used to support a bank’s most common
transactions.
Elements of core banking include:
Making and servicing loans.
Opening new accounts.
Processing cash deposits and withdrawals.
Processing payments and cheques.
Calculating interest.
Customer relationship management (CRM) activities.
Managing customer accounts.
Establishing criteria for minimum balances, interest rates, number of withdrawals
allowed and so on.
Establishing interest rates.
Maintaining records for all the bank’s transactions.
Core banking functions differ depending on the specific type of bank. Retail banking, for
example, is geared towards individual customers; wholesale banking is business
conducted between banks; and securities trading involves the buying and selling of
stocks, shares and so on. Core banking systems are often specialized for a particular type
of banking. Products that are designed to deal with multiple types of core banking
functions are sometimes referred to as universal banking systems.
Examples of core banking products include Infosys’ Finacle, Nucleus FinnOne and
Oracle's Flexcube application (from their acquisition of Indian IT vendor i-flex).
Unit-II
INTERNET BANKING
Internet Banking lets you handle many banking transactions via your personal computer.
For instance, you may use your computer to view your account balance, request transfers
between accounts, and pay bills electronically.
An Internet banking system and method has been described in which a personal computer is connected by a network service provider directly to a host computer system of a bank, such that customer service requests can be processed automatically without need for intervention by customer service representatives. The system is capable of distinguishing between those customer service requests which are capable of automated fulfillment and those requests which require handling by a customer service representative. The system is integrated with the host computer system of the bank so that the remote banking customer can access other automated services of the bank. The method of the invention includes the steps of: inputting a customer banking request from among a menu of banking requests at a remote personal computer; transmitting the banking request to a host computer over a network; receiving the request at the host computer; identifying the type of customer banking request received; automatically logging the service request; comparing the received request to a stored table of request types, each of the request types having an attribute to indicate whether the request type is capable of being fulfilled by a customer service representative or by an automated system; and, depending upon the attribute, directing the request either to a queue for handling by a customer service representative or to a queue for processing by an automated system.
COMPUTERISATION OF BANKS IN INDIA
In the Eighteenth and Nineteenth Centuries the Industrial Revolution brought profound changes in the life style of man. Many activities that were hitherto performed by man with his hands and his finger skill came to be carried out at great speed and efficiency by machines. Man continued to carry out only those functions that needed his thinking process to be involved. The Industrial Revolution, on account of mass production of goods and services, brought large commercial and business organizations, transcending national boundaries, that employed several thousands of persons for performing routine, repetitive clerical tasks relating to record keeping, maintaining accounts, attending to and answering correspondence, preparing vouchers, invoices, bills and a multitude of such other functions. This created white-collar employment for educated persons by leaps and bounds.
Clerical task is defined as a routine and repetitive performance involving, adding,
subtracting, multiplying, dividing numbers, and duplicating data/information from one
source to another. The tools employed are "a pen, ink and paper", the knowledge of
arithmetic tables, the basic knowledge of a language and minimum acquaintance with
rules & procedures of the organisation that are followed day in day out and relevant to the
job of the particular employee. Two plus two is four. It is always four. Should we need
an educated worker to compute this task again and again? A business needed human
agents to attend to production, marketing, finance etc. depicting high-level tasks. But
more and more people were employed for performing low level tasks.
However, as time went on, the internal chores of record keeping multiplied geometrically as commerce and industry grew in size and volume. The civil services of the Government and service-based organizations came to the forefront to inherit this overload of white-collar employment. To quote a concrete example, a major nationalized bank in India, which employed merely 3000 workers in the Fifties (around the time I entered its service in 1957), came to engage over 70,000 employees towards the end of the century, i.e. the year 1996-97, when I retired from service from that bank.
The Government of India and the States, including government-owned bodies, employed as many as 100 lakh junior employees at the clerical and subordinate level. Such employees, by virtue of their strength of numbers, organise themselves into powerful trade unions and aggressively utilise their bargaining power without reference to the benefit the organization derives from them or the productivity they provide.
In this world of human beings, necessity is the mother of invention. After 15 years of educational studies, an individual should not be employed for routine repetitive tasks. This makes him dull and makes the work feel monotonous, without job satisfaction. He turns away and diverts his loyalty to an informal group, i.e. the trade union. He feels happy once a month on pay day, but on the other 36 days his work leaves him nothing to rejoice in. There are neither opportunities nor challenges to bring out his innovative or creative genius. As the years pass, clerical employment results in the individual losing efficiency and productivity, progressively depicting a trend of progress in reverse. The advent of mechanical calculating devices and later electronic computing in the West heralded a new age that progressively dispensed with this white-collar and white-elephant employment. This evolved in the West three decades earlier, but the advent of this evolution in India is only now taking place.
To quote again a concrete example, the statistics of the two banking institutions in India, the largest and the next largest in size, can be fruitfully compared. These are the State Bank of India, which was until recently employing 2.3 lakh workers for a turnover of Rs.36,000 Crores (Deposits 25000 + Advances 11000 Crores, latest), and ICICI Bank.
ICICI bank has at present less than 1000 branches and around 10000 employees. It has a
turnover of Rs.23000 Crores (Deposits 16 + Advances 7 thousand Crores). The bank
started functioning from the year 1997 and has gained the No.2 position in status in India
after SBI in volume of business turnover within 5 years of its operation. It will be
interesting to know that CMD of ICICI Bank draws annual emoluments of Rs.150 Lakhs,
while CMD of SBI around Rs.4 to 5 Lacs. ICICI is a new age high-tech and fully
computerised bank, while SBI retained its manual operations in totality up to 1993 and
maintained the work force of that time up to 2001, though it is partially computerised
starting from the year 1993.
The per-employee turnover for ICICI Bank is Rs.2.3 Crores; that for SBI is Rs.1.56 Lakhs. The gap accounts for the difference between manual operations and high-tech banking. If we project the future in respect of State-owned banks, which presently employ nearly 10 Lakh employees, computerisation is destined to bring about rapid changes. By about the year 2010 the present turnover of commercial banks in India may double or even treble to around Rs.30 to 40 Lakh Crores, but these banks will have no need of 75 percent of the existing workforce by 2010 (today 25 percent of the work force is subordinate staff, 50 percent is clerical staff and 25 percent is officers). Only in very few hinterland rural pockets may there be a need for the present structure of the workforce. The objective of the recently administered VRS is to prepare for this reality of the first decade of the New Millennium, where banking will be more tech based and less people based.
Computerisation brings transparency, improves customer care and customer service tremendously, and substantially reduces the scope for corruption or for extending undue favour to particular constituents and uneven service to others.
CHALLENGES FACED IN COMPUTERISATION
Computerisation is expensive and needs huge investment in hardware and software and
subsequent maintenance. The National Stock Exchange, India's No.1 user in
computerized service has spent Rs.180 Crores to enable investors and brokers across the
country to trade securities online. The rate of obsolescence in respect of both hardware
and software is considerable. New and better products are emerging in the market, whose
use would enable a rival organization to throw a challenge.
Computer crimes are committed widely in the West. India is no less potentially exposed
to this risk, when turnover under Internet banking increases. It is easier to enforce
security of information and accountability of performers in a manual system. But it needs
elaborate steps to incorporate these features in the electronic system.
The structure of the legal system is so far based on manual record keeping. It has to provide for electronic data to be accepted legally as evidence and in contracts. Indian banking has accepted computerisation since 1993, more out of sheer compulsion and the necessity to cope with the increasing overload and the incompatibility of the manual system with further growth. In the following pages you are presented with a series of articles discussing the various facets of this momentous event and its far-reaching effects anticipated to unfold in the coming decade.
AUTOMATED TELLER MACHINES (ATM):
An unattended electronic machine in a public place, connected to a data system and related equipment and activated by a bank customer to obtain cash withdrawals and other banking services. Also called an automatic teller machine, cash machine or money machine.
An automated teller machine or automatic teller machine (ATM) is an electronic
computerized telecommunications device that allows a financial institution's customers to
directly use a secure method of communication to access their bank accounts, order or
make cash withdrawals (or cash advances using a credit card) and check their account
balances without the need for a human bank teller (or cashier in the UK). Many ATMs
also allow people to deposit cash or cheques, transfer money between their bank
accounts, top up their mobile phones' pre-paid accounts or even buy postage stamps.
On most modern ATMs, the customer identifies him or herself by inserting a plastic card with a magnetic stripe or a plastic smartcard with a chip that contains his or her account number. The customer then verifies their identity by entering a passcode, often referred to as a PIN (Personal Identification Number), of four or more digits. Upon successful entry of the PIN, the customer may perform a transaction. If the number is entered incorrectly several times in a row (usually three attempts per card insertion), some ATMs will retain the card as a security precaution to prevent an unauthorised user from discovering the PIN by guesswork. Captured cards are often destroyed if the ATM owner is not the card-issuing bank, as non-customers' identities cannot be reliably confirmed. The Indian market today has more than 17,000 ATMs.
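The PIN check and card-retention rule described in the paragraph above, written out as an added example (not code from the course text); the salted PIN hash, the per-insertion attempt counter and the bank names in the sample are assumptions:

```python
"""Model of the ATM PIN check described above: a PIN of four or more digits,
a limit of three wrong attempts per card insertion, and retention of the card
when the limit is reached (destroyed if the ATM owner is not the issuing bank).
Added example, not from the course text. The salted PIN hash and the
per-session counter are assumptions about how a bank might implement the check."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

MAX_ATTEMPTS = 3    # "usually three attempts per card insertion"
MIN_PIN_LENGTH = 4  # "a PIN of four or more digits"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of the PIN; the verifier never stores the PIN in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, 100_000)


@dataclass(frozen=True)
class CardRecord:
    """What the issuing bank holds for one card (constructed for the example)."""
    account_number: str
    issuer_bank: str
    salt: bytes
    pin_hash: bytes


def enrol(account_number: str, issuer_bank: str, pin: str) -> CardRecord:
    """Issue a card: store only a random salt and the hash of the PIN (assumed scheme)."""
    if not (pin.isdigit() and len(pin) >= MIN_PIN_LENGTH):
        raise ValueError("PIN must be four or more digits")
    salt = os.urandom(16)
    return CardRecord(account_number, issuer_bank, salt, hash_pin(pin, salt))


@dataclass
class AtmSession:
    """One card insertion at one ATM."""
    card: CardRecord
    atm_owner_bank: str
    failures: int = 0
    authenticated: bool = False
    card_retained: bool = False
    card_destroyed: bool = False
    log: List[str] = field(default_factory=list)

    def enter_pin(self, pin: str) -> str:
        """Check one PIN entry; returns 'ok', 'wrong pin' or 'card retained'."""
        if self.card_retained:
            return "card retained"          # no further guesses once the card is captured
        if self.authenticated:
            return "ok"
        # A malformed entry is treated as a wrong guess, so it still uses up an attempt.
        well_formed = pin.isdigit() and len(pin) >= MIN_PIN_LENGTH
        # Constant-time comparison so timing does not reveal how many bytes matched.
        if well_formed and hmac.compare_digest(hash_pin(pin, self.card.salt), self.card.pin_hash):
            self.authenticated = True
            self.log.append("pin accepted")
            return "ok"
        self.failures += 1
        self.log.append(f"pin rejected ({self.failures}/{MAX_ATTEMPTS})")
        if self.failures < MAX_ATTEMPTS:
            return "wrong pin"
        # Limit reached: keep the card so the PIN cannot be found by guesswork.
        # With a 4-digit PIN, three guesses cover only 3 of the 10,000 possible values.
        self.card_retained = True
        self.card_destroyed = self.card.issuer_bank != self.atm_owner_bank
        self.log.append("card retained, " + ("destroyed" if self.card_destroyed else "held for issuer"))
        return "card retained"
```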
TELE BANKING
Undertaking a host of banking-related services, including financial transactions, from the convenience of the customer's chosen place anywhere across the globe and at any time of day or night has now been made possible by introducing on-line Telebanking services. By dialing the given Telebanking number from a landline or a mobile anywhere, the customer can access his account and, by following the user-friendly menu, entire banking can be done through the Interactive Voice Response (IVR) system. With sufficient numbers of hunting lines made available, a customer's call will hardly ever fail. The system is bilingual and offers the following facilities:
· Automatic balance voice-out for the default account.
· Balance inquiry and transaction inquiry in all accounts.
· Inquiry of all term deposit accounts.
· Statement of account by fax, e-mail or ordinary mail.
· Cheque book request.
· Stop payment, which is on-line and instantaneous.
· Transfer of funds with CBS, which is automatic and instantaneous.
· Utility bill payments.
· Renewal of term deposit, which is automatic and instantaneous.
· Voice-out of the last five transactions.
SMART CARD
A smart card usually contains an embedded 8-bit microprocessor (a kind of computer
chip). The microprocessor is under a contact pad on one side of the card. Think of the
microprocessor as replacing the usual magnetic stripe present on a credit card or debit
card. The microprocessor on the smart card is there for security. The host computer and
card reader actually "talk" to the Microprocessor. The microprocessor enforces access to
the data on the card.
The chips in these cards are capable of many kinds of transactions. For example, a person could make purchases from their credit account, debit account or from a stored account value that is reloadable. The enhanced memory and processing capacity of the smart card is many times that of traditional magnetic-stripe cards and can accommodate several different applications on a single card. It can also hold identification information, which means no more shuffling through cards in the wallet to find the right one: the smart card will be the only one needed. Smart cards can also be used with a smart card reader attached to a personal computer to authenticate a user. Smart cards are much more popular in Europe than in the U.S. In Europe the health insurance and banking industries use smart cards extensively. Every German citizen has a smart card for health insurance. Even though smart cards have been around in their modern form for at least a decade, they are just starting to take off in the U.S.
DEBIT CARD
Debit cards are also known as check cards. Debit cards look like credit cards or ATM
(automated teller machine) cards, but operate like cash or a personal check. Debit cards
are different from credit cards. While a credit card is a way to "pay later," a debit card is a
way to "pay now." When you use a debit card, your money is quickly deducted from your
checking or savings account. Debit cards are accepted at many locations, including
grocery stores, retail stores, gasoline stations, and restaurants. You can use your card
anywhere merchants display your card's brand name or logo. They offer an alternative to
carrying a checkbook or cash.
Electronic Funds Transfer (EFT):
Electronic Funds Transfer (EFT) is a system of transferring money from one bank
account directly to another without any paper money changing hands. One of the
most widely-used EFT programs is Direct Deposit, in which payroll is deposited
straight into an employee's bank account, although EFT refers to any transfer of funds
initiated through an electronic terminal, including credit card, ATM, Fedwire and
point-of-sale (POS) transactions. It is used for both credit transfers, such as payroll
payments, and for debit transfers, such as mortgage payments.
Transactions are processed by the bank through the Automated Clearing House (ACH)
network, the secure transfer system that connects all U.S. financial institutions. For
payments, funds are transferred electronically from one bank account to the billing
company's bank, usually less than a day after the scheduled payment date.
The growing popularity of EFT for online bill payment is paving the way for a paperless
universe where checks, stamps, envelopes, and paper bills are obsolete. The benefits of
EFT include reduced administrative costs, increased efficiency, simplified bookkeeping,
and greater security. However, the number of companies who send and receive bills
through the Internet is still relatively small.
The U.S. Government monitors EFT compliance through Regulation E of the Federal
Reserve Board, which implements the Electronic Funds Transfer Act (EFTA). Regulation
E governs financial transactions with electronic payment services, specifically with
regard to disclosure of information, consumer liability, error resolution, record retention,
and receipts at electronic terminals.
OTHER FORMS OF ELECTRONIC BANKING
Direct Deposit
Electronic Bill Payment
Electronic Check Conversion
Cash Value Stored, Etc.
Unit-III
E-CHEQUE:
An e-Cheque is the electronic version or representation of a paper cheque. The information and legal framework of the e-Cheque are the same as those of the paper cheque. It can now be used in place of paper cheques to do any and all remote transactions. An e-Cheque works the same way a cheque does: the cheque writer "writes" the e-Cheque using one of many types of electronic devices and "gives" the e-Cheque to the payee electronically. The payee "deposits" the electronic cheque and receives credit, and the payee's bank "clears" the e-Cheque to the paying bank. The paying bank validates the e-Cheque and then "charges" the cheque writer's account for the cheque.
Magnetic ink character recognition (MICR) is a character recognition system
that uses special ink and characters. MICR technology is generally used by
banks to facilitate the processing and clearance of cheques.
MICR definition
Magnetic ink character recognition is a technology used to verify the
legitimacy or originality of paper documents using special ink which is
sensitive to magnetic fields.
The MICR encoding, called the MICR line, is typically located at the bottom of a cheque and usually includes the bank code, bank account number, cheque number, document type indicator, etc. When such a document containing this special ink encoding needs to be read, it is passed through a machine which magnetizes the ink and then converts the magnetic information into characters. The MICR E-13B font has been adopted as the international standard in ISO 1004:1995, though the CMC-7 font is used in many European countries.
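A parser for the MICR line just described, as an added example that is not part of the course text. It assumes the reader reports the four E-13B control symbols as the ASCII letters T, O, A and D, and the Indian cheque layout (6-digit cheque number, 9-digit MICR code split as city/bank/branch, 6-digit account number, 2-digit transaction code, optional amount field); the sample lines are constructed.

```python
"""Parser for a MICR line as described above: E-13B characters, i.e. the
digits 0-9 plus four control symbols (transit, on-us, amount, dash), carrying
the bank code, account number, cheque number and document type indicator.
Added example, not from the course text. Assumptions: the reader reports the
symbols as the ASCII letters T, O, A, D (a common reader convention), and the
field layout is the Indian cheque layout: 6-digit cheque number, 9-digit MICR
code (3 city + 3 bank + 3 branch), 6-digit short account number, 2-digit
transaction code, optionally followed by an amount between two amount symbols."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRANSIT, ONUS, AMOUNT, DASH = "T", "O", "A", "D"   # assumed reader output for the 4 symbols
SYMBOLS = TRANSIT + ONUS + AMOUNT + DASH
E13B_CHARS = set("0123456789 " + SYMBOLS)          # E-13B has no letters or punctuation

# Assumed Indian layout, matched against the canonical space-separated token string.
LAYOUT = re.compile(
    r"^(?P<cheque>\d{6}) T (?P<micr>\d{9}) T (?P<account>\d{6}) O (?P<tran>\d{2})"
    r"(?: A (?P<amount>\d+) A)?$"
)


@dataclass(frozen=True)
class MicrLine:
    cheque_number: str
    city_code: str
    bank_code: str
    branch_code: str
    account_number: str
    transaction_code: str
    amount: Optional[str]   # encoded later by the collecting bank; None before that


def tokenize(raw: str) -> List[Tuple[str, str]]:
    """Split raw reader output into ('sym', 'T') and ('num', '123456') tokens.

    Anything outside the E-13B repertoire (e.g. '?' for an unreadable character)
    means a misread or an altered line, so it is rejected rather than guessed at."""
    bad = sorted({c for c in raw if c not in E13B_CHARS})
    if bad:
        raise ValueError(f"non-E-13B characters in MICR line: {bad}")
    tokens = []
    for match in re.finditer(rf"[{SYMBOLS}]|[0-9]+", raw):
        text = match.group()
        tokens.append(("sym", text) if text in SYMBOLS else ("num", text))
    return tokens


def parse_micr_line(raw: str) -> MicrLine:
    """Parse one MICR line into its fields; raises ValueError if it does not fit the layout."""
    canonical = " ".join(text for _, text in tokenize(raw))   # spacing-insensitive
    match = LAYOUT.match(canonical)
    if not match:
        raise ValueError(f"MICR line does not match the expected layout: {canonical!r}")
    micr = match["micr"]
    return MicrLine(
        cheque_number=match["cheque"],
        city_code=micr[:3],
        bank_code=micr[3:6],
        branch_code=micr[6:],
        account_number=match["account"],
        transaction_code=match["tran"],
        amount=match["amount"],
    )


def is_valid(raw: str) -> bool:
    """Structural check only: a well-formed line still has to be matched against
    the drawee bank's own records (cheque series, account, stop-payment list)."""
    try:
        parse_micr_line(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample; not a real cheque.
    print(parse_micr_line("123456 T 400002001 T 000789 O 31"))
```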
THE INDIAN EXPERIENCE
India is still in the early stages of E-banking growth and development. Competition and changes in technology and lifestyle in the last five years have changed the face of banking. The changes that have taken place impose on banks tough standards of competition and compliance. The issue here is: "Where does India stand in the scheme of E-banking?" E-banking is likely to bring a host of opportunities as well as unprecedented risks to the fundamental nature of banking in India.
The impact of E-banking in India is not yet apparent. Many global research companies believe that E-banking adoption in India in the near future would be slow compared to other major Asian countries. Indian E-banking is still nascent, although it is fast becoming a strategic necessity for most commercial banks, as competition increases from private banks and non-banking financial institutions. Despite the global economic challenges facing the IT software and services sector, the outlook for the Indian industry remains optimistic.
The Reserve Bank of India has also set up a "Working Group on E-banking" to examine different aspects of E-banking. The group focused on three major areas of E-banking, i.e. (1) Technology and security issues, (2) Legal issues and (3) Regulatory and supervisory issues. RBI has accepted the guidelines of the group, and they provide a good insight into the security requirements of E-banking.
The importance of the impact of technology and information security cannot be doubted. Technological developments have been one of the key drivers of the global economy and represent an instrument that, if exploited well, can boost the efficiency and competitiveness of the banking sector. However, the rapid growth of the Internet has introduced a completely new level of security-related problems. The problem here is that since the Internet is not a regulated technology and is readily accessible to millions of people, there will always be people who want to use it to make illicit gains. The security issue can be addressed at three levels.
The first is the security of customer information as it is sent from the customer's PC to the Web server. The second is the security of the environment in which the Internet banking server and customer information database reside. Third, security measures must be in place to prevent unauthorized users from attempting to log into the online banking section of the website. From a legal perspective, the security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for a signature. In India, the Information Technology Act, 2000, in section 3(2), provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic records. Any other method used by banks for authentication should be recognized as a source of legal risk. Regarding the regulatory and supervisory issues, only such banks which are licensed and supervised and have a physical presence in India will be permitted to offer E-banking products to residents of India. With institutions becoming more and more global and complex, the nature of risks in the international financial system has changed. The regulators themselves, who will now be paying much more attention to the qualitative aspects of risk management, have recognized this.
Though the Indian Government has announced cyber laws, most corporates are not clear
about them, and feel they are insufficient for the growth of E-commerce. Lack of
consumer protection laws is another issue that needs to be tackled if people are to feel
more comfortable about transacting online. Taxation of E-commerce transactions has been
one of the most debated issues that is yet to be resolved by India and most other
countries. The explosive growth of e-commerce has led many executives to question how
their companies can properly administer taxes on Internet sales. Without sales tax, online
sellers get a price advantage over brick-and-mortar companies. While e-commerce
has been causing loss of tax revenues to the Government, many politicians continue to
insist that the Net must remain tax-free to ensure continued growth, and that collecting
sales taxes on Net commerce could restrict its expansion.
A permanent ban on customs duties on electronic transmissions, international tax rules
that are neutral, simple and certain, and simplification of state and local sales taxes. The
Central Board of Direct Taxes, which submitted its report in September 2001,
recommended that e-commerce transactions should be taxed just like traditional
commerce.
Also, RBI is about to become the first Government-owned digital signature Certifying
Authority (CA) in India. The move is expected to initiate the electronic transaction
process in the banking sector and will have far-reaching results in terms of cost and speed
of transactions between government-owned banks.
Thus efficiency, growth and the need to satisfy a growing tech-savvy
consumer base are three clear rationales for implementing E-banking in India. The four
forces of customers, technology, convergence and globalization have the most important
effect on the Indian financial sector, and these changes are forcing banks to redefine their
business models and integrate technology into all
aspects of operation.
Online banking:
Online Banking also known as internet banking, e-banking or virtual banking, is an
electronic payment system that enables customers of a bank or other financial institution
to conduct a range of financial transactions through the financial institution's website.
The online banking system will typically connect to or be part of the core banking system
operated by a bank and is in contrast to branch banking which was the traditional way
customers accessed banking services. Fundamentally and in mechanism, online banking,
internet banking and e-banking are the same thing.
To access a financial institution's online banking facility, a customer with internet access
would need to register with the institution for the service, and set up a password and other
credentials for customer verification. The credentials for online banking are normally not
the same as for telephone or mobile banking. Financial institutions now routinely allocate
customers numbers, whether or not customers have indicated an intention to access their
online banking facility. Customers' numbers are normally not the same as account
numbers, because a number of customer accounts can be linked to the one customer
number. The customer number can be linked to any account that the customer controls,
such as cheque, savings, loan, credit card and other accounts.
The customer visits the financial institution's secure website, and enters the online
banking facility using the customer number and credentials previously set up. The types
of financial transactions which a customer may transact through online banking usually
include obtaining account balances, lists of the latest transactions, electronic bill
payments and funds transfers between a customer's or another's accounts. Most banks
also enable a customer to download copies of bank statements, which can be printed at
the customer's premises (some banks charge a fee for mailing hardcopies of bank
statements). Some banks also enable customers to download transactions directly into the
customer's accounting software. The facility may also enable the customer to order
cheque-books, statements, report loss of credit cards, stop payment on a cheque, advise
change of address and other routine actions.
UNIT – IV
4. E- BANKING SECURITY
4.1 INTRODUCTION
Online banking, also known as internet banking, e-banking or virtual banking, is an
electronic payment system that enables customers of a bank or other financial institution
to conduct a range of financial transactions through the financial institution's website.
The online banking system will typically connect to or be part of the core banking system
operated by a bank and is in contrast to branch banking which was the traditional way
customers accessed banking services. Fundamentally and in mechanism, online banking,
internet banking and e-banking are the same thing.
Internet Products and Services
4.2 NEED FOR SECURITY
Security of a customer's financial information is very important, without which online
banking could not operate. Similarly the reputational risks to the banks themselves are
important.[6] Financial institutions have set up various security processes to reduce the
risk of unauthorized online access to a customer's records, but there is no consistency to
the various approaches adopted.
The use of a secure website has been almost universally embraced.
Though single password authentication is still in use, it by itself is not considered secure
enough for online banking in some countries. Basically there are two different security
methods in use for online banking:
The PIN/TAN system, where the PIN represents a password used for the login
and TANs represent one-time passwords used to authenticate transactions. TANs
can be distributed in different ways; the most popular is to send a list of
TANs to the online banking user by postal letter. Another way of using TANs is
to generate them on demand using a security token. These token-generated TANs
depend on the time and a unique secret stored in the security token (two-factor
authentication or 2FA).
More advanced TAN generators (chipTAN) also include the transaction data in
the TAN generation process after displaying it on their own screen, to allow the
user to discover man-in-the-middle attacks carried out by Trojans trying to
secretly manipulate the transaction data in the background on the PC.[7]
Another way to provide TANs to an online banking user is to send the TAN of the
current bank transaction to the user's (GSM) mobile phone via SMS. The SMS
text usually quotes the transaction amount and details; the TAN is only valid for a
short period of time. Especially in Germany, Austria and the Netherlands, many
banks have adopted this "SMS TAN" service.
Usually online banking with PIN/TAN is done via a web browser using SSL
secured connections, so that there is no additional encryption needed.
Signature-based online banking, where all transactions are signed and encrypted
digitally. The keys for signature generation and encryption can be stored on
smartcards or any memory medium, depending on the concrete implementation.
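As an added illustration of why a transaction-bound TAN defeats the Trojan scenario described above (this is example code written for this page, not a bank's or a token vendor's implementation): the TAN generator and the bank both derive a 6-digit TAN from a shared secret, a counter and the transaction data itself. The secret, counter, recipient identifiers and amounts are constructed values, and the HMAC-SHA256 derivation is an assumption standing in for the real chipTAN algorithm.

```python
import hashlib
import hmac

# Constructed values: a per-customer secret provisioned into the TAN generator,
# and a transaction counter that the token and the bank keep in step.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
TRANSACTION_COUNTER = 42


def transaction_tan(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Derive a 6-digit TAN that is bound to one specific transaction.

    Simplified chipTAN-style construction (an assumption for this example, not a
    bank's real algorithm): HMAC-SHA256 over counter, recipient and amount,
    truncated to six decimal digits.
    """
    message = f"{counter}|{recipient}|{amount_cents}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def bank_verify(secret: bytes, counter: int, recipient: str, amount_cents: int, tan: str) -> bool:
    """Bank side: recompute the TAN over the transaction it actually received."""
    expected = transaction_tan(secret, counter, recipient, amount_cents)
    return hmac.compare_digest(expected, tan)


def submit_transfer(trojan_on_pc: bool) -> bool:
    """Simulate one transfer and return whether the bank accepts it.

    The customer intends to pay 120.00 to a constructed recipient. The token
    shows the intended recipient and amount on its own screen and derives the
    TAN from exactly those values. A Trojan on the PC that rewrites the transfer
    before it reaches the bank cannot rewrite the TAN to match the new data.
    """
    intended_recipient, intended_amount = "DE00CONSTRUCTED0001", 12_000
    tan = transaction_tan(TOKEN_SECRET, TRANSACTION_COUNTER, intended_recipient, intended_amount)

    sent_recipient, sent_amount = intended_recipient, intended_amount
    if trojan_on_pc:
        # Constructed tampering: recipient and amount changed in transit.
        sent_recipient, sent_amount = "DE00MULE000000099", 950_000

    return bank_verify(TOKEN_SECRET, TRANSACTION_COUNTER, sent_recipient, sent_amount, tan)


if __name__ == "__main__":
    print("honest transfer accepted:", submit_transfer(False))
    print("tampered transfer accepted:", submit_transfer(True))
```

A TAN from a printed list would be accepted for any transaction, because nothing ties it to a recipient or an amount. Here the bank recomputes the TAN over the data it actually received, so a transfer rewritten in transit fails verification even though the customer typed a valid TAN, and the token's own display lets the customer notice the mismatch before a TAN is generated at all.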
Security Login ID and Password or PIN
Do not disclose Login ID and Password or PIN
Do not store Login ID and Password or PIN on the computer
Regularly change password or PIN and avoid using easy-to-guess passwords such
as names or birthdays. Password should be a combination of characters
(uppercase and lowercase) and numbers and should be at least 6 digits in length
The same Password should not be used for different websites, applications or
services.
Keep personal information private
Do not disclose personal information such as address, mother’s maiden name,
telephone number, social security number, bank account number or e-mail address
– unless the one collecting the information is reliable and trustworthy
Keep records of online transactions
Regularly check transaction history details and statements to make sure that there
are no unauthorized transactions
Review and reconcile monthly credit card and bank statements for any errors or
unauthorized transactions promptly and thoroughly
Check e-mail for contacts by merchants with whom one is doing business.
Merchants may send important information about transaction histories
Immediately notify the bank if there are unauthorized entries or transactions in the
account
Check for the right and secure website
Before doing any online transactions or sending personal information, make sure
that the correct website has been accessed. Beware of bogus or "look-alike" websites
which are designed to deceive consumers
Check if the website is "secure" by checking the Universal Resource Locator
(URL), which should begin with "https", and that a closed padlock icon is displayed
on the status bar of the browser. To confirm the authenticity of the site, double-click
on the lock icon to display the site's security certificate information
Always enter the URL of the website directly into the web browser. Avoid being
re-directed to the website, or hyperlink to it from a website that may not be as
secure
If possible, use software that encrypts or scrambles the information when sending
sensitive information or performing e-banking transactions online
Protect personal computer from hackers, viruses and malicious programs
Install a personal firewall and a reputable anti-virus program to protect personal
computer from virus attacks or malicious programs
Ensure that the anti-virus program is updated and runs at all times
Always keep the operating system and the web browser updated with the latest
security patches, in order to protect against weaknesses or vulnerabilities
Always check with an updated anti-virus program when downloading a program
or opening an attachment to ensure that it does not contain any virus
Install updated scanner software to detect and eliminate malicious programs
capable of capturing personal or financial information online
Never download any file or software from sites or sources which are not familiar,
or from hyperlinks sent by strangers. Opening such files could expose the system to a
computer virus that could hijack personal information, including the password or
PIN
Do not leave computer unattended when logged-in
Log-off from the internet banking site when computer is unattended, even if it is
for a short while
Always remember to log-off when e-banking transactions have been completed
Clear the memory cache and transaction history after logging out from the website
to remove account information. This would avoid incidents of the stored
information being retrieved by unwanted parties
Avoid selecting a browser for storing or retaining username and password
Check the site’s privacy policy and disclosures
Read and understand website disclosures specifically on refund, shipping, account
debit/credit policies and other bank terms and conditions
Before providing any personal financial information to a website, determine how
the information will be used or shared with others
Check the site’s statements about the security provided for the information
divulged
Some websites’ disclosures are easier to find than others –look at the bottom of
the home page, on order forms or in the “About” or “FAQs” section of a site. If
the customer is not comfortable with the policy, consider doing business
elsewhere
Other internet security measures
Do not send any personal information particularly password or PIN via ordinary
Do not open other browser windows while banking online
Avoid using shared or public personal computers in conducting e-banking
transactions
Disable the “file and printer sharing” feature on the operating system if
conducting banking transactions online
Contact the banking institution to discuss security concerns and remedies to any
online e-banking account issues
Delete junk or chain emails immediately
Perform regular back-up of critical data
4.2.1 Other Electronic Products
Automated Teller Machine (ATM) and debit cards
Use ATMs that are familiar or that are in well-lit locations where one feels
comfortable. If the machine is poorly lit or it is in a hidden area, use another ATM
Have card ready before approaching the ATM. Avoid having to go through the
wallet or purse to find the card
Do not use ATMs that appear to have been tampered with or otherwise altered.
Report such condition to the bank
Memorize the ATM personal identification number (PIN) and never disclose it to
anyone. Do not keep those numbers or passwords in the wallet or purse. Never
write them on the cards themselves. And avoid using easily available personal
information like a birthday, nickname, mother’s maiden name or consecutive
numbers.
Be mindful of “shoulder surfers” when using ATMs. Stand close to the ATM and
shield the keypad with hand when keying in the PIN and transaction amount
If the ATM is not working correctly, cancel the transaction and use a different
ATM. If possible, report the problem to the bank
Carefully secure card and cash in the wallet, handbag, or pocket before leaving
the ATM
Do not leave the receipt behind. Compare ATM receipts to monthly statement. It
is the best way to guard against fraud and it makes record-keeping easier
Do not let other people use your card. If card is lost or stolen, report the incident
immediately to the bank
Mobile Banking
Do not disclose your Mobile Banking PIN (MPIN) to anyone.
Regularly change the MPIN
Do not let other people use your mobile phone enrolled in a mobile banking
service. If the phone is lost or stolen, report the incident immediately to the bank
Be vigilant. Refrain from doing mobile banking transactions in a place where you
observe the presence of “shoulder surfers”
Keep a copy of the transaction reference number provided by the Bank whenever
you perform a mobile banking transaction, as evidence that the specific
transaction was actually executed
4.3 SECURITY CONCEPTS
Know Thy System
Perhaps the most important thing when trying to defend a system is knowing that
system. It doesn’t matter if it’s a castle or a Linux server — if you don’t know the
ins and outs of what you’re actually defending, you have little chance of being
successful.
A good example of this in the information security world is knowledge of
exactly what software is running on your systems. What daemons are you
running? What sort of exposure do they create? A good self-test for someone in a
small to medium-sized environment would be to randomly select an IP from a list
of your systems and see if you know the exact list of ports that are open on the
machines.
A good admin should be able to say, for example, “It’s a web server, so it’s only
running 80, 443, and 22 for remote administration; that’s it.” — and so on and so
on for every type of server in the environment. There shouldn’t be any surprises
when seeing port scan results.
What you don’t want to hear in this sort of test is, “Wow, what’s that port?”
Having to ask that question is a sign that the administrator is not fully aware of
everything running on the box in question, and that’s precisely the situation we
need to avoid.
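The self-test described above (pick a host, state which ports it should have open, compare with a scan) can be automated. The following is an added example, not part of the course text: it parses constructed scan lines written in the grepable (-oG) style of nmap, compares each host's open ports against a constructed baseline per server role, and reports every surprise in either direction. The hosts, roles and port sets are all constructed.

```python
import re

# Constructed baseline: the ports each server role is supposed to expose.
EXPECTED_PORTS = {
    "web": {22, 80, 443},   # "it's a web server, so only 80, 443 and 22"
    "db": {22, 5432},
}

# Constructed inventory mapping each host to its role.
INVENTORY = {
    "10.0.0.10": "web",
    "10.0.0.20": "db",
    "10.0.0.30": "web",
}

# Constructed scan output in the grepable (-oG) style nmap emits.
SCAN_OUTPUT = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.30 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?Ports: (?P<ports>[^\t]*)")
OPEN_PORT_RE = re.compile(r"(\d+)/open/")


def parse_grepable(scan_text: str) -> dict:
    """Return {ip: {open ports}} from grepable-style scan lines."""
    observed = {}
    for line in scan_text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue
        observed[match["ip"]] = {int(p) for p in OPEN_PORT_RE.findall(match["ports"])}
    return observed


def audit_ports(observed: dict, inventory: dict, expected: dict) -> dict:
    """Compare what is open against what the admin says should be open.

    Returns one finding per host that deviates from its baseline: ports open that
    the role does not account for ("Wow, what's that port?"), services the role
    should expose but does not, and hosts the inventory does not even know about.
    """
    findings = {}
    for ip, open_ports in observed.items():
        role = inventory.get(ip)
        if role is None:
            findings[ip] = {"unexpected": sorted(open_ports), "missing": [],
                            "note": "host not in inventory"}
            continue
        unexpected = sorted(open_ports - expected[role])
        missing = sorted(expected[role] - open_ports)
        if unexpected or missing:
            findings[ip] = {"unexpected": unexpected, "missing": missing, "note": role}
    return findings


if __name__ == "__main__":
    for ip, finding in audit_ports(parse_grepable(SCAN_OUTPUT), INVENTORY, EXPECTED_PORTS).items():
        print(ip, finding)
```

Run against real scan output, the empty result is the goal: every host's open ports are exactly what its role predicts. A missing port is reported too, because a service that should be listening but is not is just as much a sign that the administrator's picture of the box is out of date.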
Least Privilege
The next über-important concept is that of least privilege. Least privilege simply
says that people and things should only be able to do what they need to do their
jobs, and nothing else. The reason I include “things” is that admins often
configure automated tasks that need to be able to do certain things — backups for
example. Well, what often happens is the admin will just put the user doing the
backup into the domain admins group — even if they could get it to work another
way. Why? Because it’s easier.
Ultimately this is a principle that is designed to conflict directly with human
nature, i.e. laziness. It’s always more difficult to give granular access that allows
only specific tasks than it is to give a higher echelon of access that includes what
needs to be accomplished.
This rule of least privilege simply reminds us not to give into the temptation to do
that. Don’t give in. Take the time to make all access granular, and at the lowest
level possible.
Defense In Depth
Defense In Depth is perhaps the least understood concept out of the four. Many
think it’s simply stacking three firewalls instead of one, or using two antivirus
programs rather than one. Technically this could apply, but it’s not the true nature
of Defense In Depth.
The true idea is that of stacking multiple types of protection between an attacker
and an asset. And these layers don’t need to be products — they can be
applications of other concepts themselves, such as least privilege.
Let’s take the example of an attacker on the Internet trying to compromise a web
server in the DMZ. This could be relatively easy given a major vulnerability, but
with an infrastructure built using Defense In Depth, it can be significantly more
difficult.
The hardening of routers and firewalls, the inclusion of IPS/IDS, the hardening of
the target host, the presence of host-based IPS on the host, anti-virus on the host,
etc. — any of these steps can potentially stop an attack from being fully
successful.
The idea is that we should think in reverse — rather than thinking about what
needs to be put in place to stop an attack, think instead of what all has to happen
for it to be successful. Maybe an attack had to make it through the external router,
the firewall, the switch, get to the host, execute, make a connection outbound to a
host outside, download content, run that, etc, etc.
What if any of those steps were unsuccessful? That’s the key to Defense In Depth
— put barriers in as many points as possible. Lock down network ACLs. Lock
down file permissions. Use network intrusion prevention, use intrusion detection,
make it more difficult for hostile code to run on your systems, make sure your
daemons are running as the least privileged user, etc, etc.
The benefit is quite simple — you get more chances to stop an attack from
becoming successful. It’s possible for someone to get all the way in, all the way to
the box in question, and be stopped by the fact that malicious code in question
wouldn’t run on the host. But maybe when that code is fixed so that it would run,
it’ll then be caught by an updated IPS or a more restrictive firewall ACL. The idea
is to lock down everything you can at every level. Not just one thing, everything
— file permissions, stack protection, ACLs, host IPS, limiting admin access,
running as limited users — the list goes on and on.
The underlying concept is simple — don’t rely on single solutions to defend your
assets. Treat each element of your defense as if it were the only layer. When you
take this approach you’re more likely to stop attacks before they achieve their
goal.
Prevention Is Ideal, But Detection Is A Must
The final concept is rather simple but extremely important. The idea is that while
it’s best to stop an attack before it’s successful, it’s absolutely crucial that you at
least know it happened. As an example, you may have protections in place that try
and keep code from being executed on your system, but if code is executed and
something is done, it’s critical that you are alerted to that fact and can take action
quickly.
The difference between knowing about a successful attack within 5 or 10 minutes
vs. finding out about it weeks later is astronomical. Often times having the
knowledge early enough can result in the attack not being successful at all, i.e.
maybe they get on your box and add a user account, but you get to the machine
and take it offline before they are able to do anything with it.
Regardless of the situation, detection is an absolute must because there’s no
guarantee that you’re prevention measures are going to be successful.
4.4 CYBER CRIME
Cyber crime is a digital wrongdoing: any illegal activity committed using a computer
or the Internet is known as cyber crime. Digital crimes are a variety of
offences which use computers and network systems for criminal purposes. The
distinction between customary unlawful acts (traditional crime) and digital wrongdoings
is that digital offences can be transnational in nature. Cyber crime is crime that is
committed online in many areas using networks and e-commerce. A computer can be
used for an offence when unauthorised access to a computer system happens, and this in
turn affects e-commerce.
Cyber crimes can be of different types, for example telecommunications piracy,
electronic money laundering and tax evasion, sales and investment fraud, electronic
funds transfer fraud, etc. The present period has replaced the customary
fiscal instruments of paper- and metal-based money with plastic cash such as master cards,
credit cards, debit cards, etc. This has brought about the expanding use of ATMs
everywhere throughout the world. The use of the ATM is safe as well as advantageous
and convenient. But, as we all know, every coin has two sides: in the same way the ATM
system, which is also known as plastic cash, is safe and convenient on one side, while
the other side, which can be called the evil side, consists of misuse of the same. This
evil side of the ATM system is
reflected as ATM cheats or ATM frauds, which are a worldwide burning issue. Cyber crime is
emerging as a serious threat. Worldwide, governments, police departments and
intelligence units have started to react.
Information and Communication Technology (ICT) has revolutionized different aspects
of human life and has made our lives simpler. It has been applied in different industries
and has made business processes simpler by sorting, summarizing, coding and
customizing the processes. However, ICT has brought unintended consequences in the form
of different cybercrimes. Cybercrimes have affected different sectors, among which the
banking sector is one that has witnessed different forms of cybercrime such as
ATM frauds, phishing, identity theft and denial of service.
4.4.1 Cyber crime in banking sector
In today’s globalised world, the banking sector provides many
facilities to its clients and customers, such as internet banking, credit card
facilities, debit card facilities and online transfer. With all these facilities, bank customers
can use bank services 24 hours a day, and they can easily transact and operate their
accounts from any place in the world with the help of the Internet and mobile phones. As
we all know, these facilities are beneficial for the customer, but they also have an evil
side, which includes hackers and thieves. They misuse such facilities: by hacking
banking sites and customers’ accounts they make a mess of the accounts and also
rob money from customers’ accounts. The best example was the
recent situation in which one hacker took just one rupee from each account, but
by such one-rupee deductions collected a lot of money. There are also many other frauds
and cyber crimes committed in the banking sector, which are mentioned below [1].
4.4.2 Types of cyber crime in banking sector:-
Hacking
"Hacking" is a crime which means unauthorized access made by a person to crack
systems, or an attempt to bypass the security mechanisms, by hacking banking
sites or the accounts of customers. Hacking is not defined in the amended IT Act,
2000 [2]. But under Section 43(a) read with Section 66 of the Information Technology
(Amendment) Act, 2008 and Sections 379 and 406 of the Indian Penal Code, 1860, a person
or hacker can be punished. If such a crime is proved, then for the hacking offence the
accused is punished under the IT Act with imprisonment, which may extend to three years,
or with a fine, which may extend to five lakh rupees, or both. The hacking offence is
considered a cognizable offence; it is also a bailable offence.
Credit card fraud.
Many online credit card frauds are committed when a customer uses their credit card
or debit card for an online payment: a person with mala fide intention obtains the
card details and password by hacking and misuses them for online purchases, for
which the customer whose card was used or hacked suffers from such an attack or
fraudulent action by an evil-doer [3].
If electronic transactions are not secured, credit card numbers can be stolen by
hackers, who can misuse the card by impersonating the credit card owner.
Email Fraud
In the present period of life, e-mail and websites have become a speedy, easy and
preferred means of communication. Sometimes fraud is committed by email: a hacker or
an evil organization sends email to bank customers saying “congratulations, you have won
a huge amount; to encash it please share your bank details”, and the customer simply
has to type their credit card number into the web page of the vendor for an online
transaction or to encash such an amount; the hacker then misuses such details and commits
a crime, which is also known as cyber crime as per law.
Phishing
Phishing is only one of the numerous frauds on the Internet attempting to trick
individuals into parting with their cash. Phishing refers to the receipt of unsolicited
messages by customers of financial institutions, asking them to enter their username,
password or other personal data to access their account for some reason. Customers
are directed to respond to the mail and to click on the link mentioned in it; when
they click on the given link to enter the information asked for in the mail, they land
on the fraudster's imitation of the bank's website, and thus remain unaware that a
fraud has been perpetrated on them. The fraudster then has access to the customer's
online bank account and to the funds contained in that account, by misusing the
details fraudulently obtained from the customer [4]. F-Secure Corporation's summary of
'information security' threats during the first half of 2007 revealed that the study
found the banking industry to be a vulnerable target for
phishing scams in India.
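Both the "check for the right and secure website" guidance in 4.2 and the phishing description above come down to one question: does the link a customer is about to follow really point at the bank's own host over https? The following added example (not the course's code, nor any bank's) extracts the links from a constructed phishing-style e-mail and flags non-https links, hosts outside a constructed allowlist of the bank's real hostnames, non-ASCII (homograph-style) hostnames, the user@host trick, and link text that displays a different host than the one the href actually points to. The e-mail body and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the hostnames the bank really serves online banking from.
TRUSTED_HOSTS = {"online.examplebank.test"}

# Constructed phishing-style e-mail: one genuine link, one look-alike host hidden
# behind honest-looking link text, one user@host trick.
SAMPLE_EMAIL = """
<p>Congratulations! Confirm your account within 24 hours to receive your prize:</p>
<a href="https://online.examplebank.test/login">Sign in</a>
<a href="http://online-examplebank.test.verify-account.example/login">https://online.examplebank.test/login</a>
<a href="https://online.examplebank.test@203.0.113.9/login">Verify now</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_url(url: str, trusted=TRUSTED_HOSTS) -> list:
    """Return the reasons a URL should not be trusted as the bank's site (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    problems = []
    if parsed.scheme != "https":
        problems.append("scheme is not https")
    if parsed.username is not None:
        problems.append("userinfo before '@' hides the real host")
    if any(ord(ch) > 127 for ch in host):
        problems.append("non-ASCII characters in host (possible homograph)")
    if host not in trusted:
        problems.append(f"host '{host}' is not one of the bank's hosts")
    return problems


def audit_email_links(html: str, trusted=TRUSTED_HOSTS) -> list:
    """Check every link in an e-mail body, including text-versus-href host mismatches."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        problems = check_url(href, trusted)
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown_host and shown_host != href_host:
            problems.append(f"link text shows '{shown_host}' but points to '{href_host}'")
        findings.append({"href": href, "text": text, "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_email_links(SAMPLE_EMAIL):
        print(finding["href"], "->", finding["problems"] or "ok")
```

The same `check_url` applies to the 4.2 advice of typing the bank's address directly: whatever the customer ends up at must be https and exactly one of the bank's hosts, not merely something that contains the bank's name somewhere in it.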
Financial Fraud
Financial Fraud in UK, an industry body, says British losses from web and phone
banking fraud climbed 59 per cent to £35.9m in the first six
months of the year. It says that reports of phishing attacks indicate it is one of the
fastest growing sorts of fraud. In response, the banks have called for UK telecom groups to
reduce the time people can stay on the line after someone else hangs up. By next year,
most telecom operators will have cut the disconnection time to two seconds.
4.4.3 Cyber security
Specialists say banks confront four broad sorts of risk. First, nation states use
surveillance both to take intellectual capital from banks and to destabilize them.
Secondly, banks are a prime target for cyber terrorists looking to strike against symbols of
western capitalism. Third, so-called "hacktivists" consistently make crafty attempts to
break into banks' IT networks, normally to win more attention for their cause [5]. Finally,
organized crime has to a great extent moved from taking cash through
conventional bank heists to using other means, for example online, phone and
card fraud, which are harder to detect [6]. Banks say regulators, for
example the Bank of England and the US Federal Reserve, have been pushing them to
identify threats and test their cyber resilience with a programme of so-called "ethical
hacking".
4.5 REASONS FOR PRIVACY
WHAT DOES DISCOVER BANK DO WITH YOUR PERSONAL INFORMATION?
Why? Financial companies choose how they share your personal information.
Federal law gives consumers the right to limit some but not all sharing.
Federal law also requires us to tell you how we collect, share, and protect
your personal information. Please read this notice carefully to understand
what we do.
What? The types of personal information we collect and share depend on the product or
service you have with us. This information can include:
Social Security number and account transactions
account balances and payment history
transaction history and credit history
How? All financial companies need to share customers' personal information to run
their everyday business. In the section below, we list the reasons financial
companies can share their customers' personal information; the reasons
Discover Bank chooses to share; and whether you can limit this sharing.

Reasons we can share your personal information | Does Discover Bank share? | Can you limit this sharing?
--- | --- | ---
For our everyday business purposes — such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes — to offer our products and services to you | Yes | No
For joint marketing with other financial companies | Yes | No
For our affiliates' everyday business purposes — information about your transactions and experiences | Yes | No
For our affiliates' everyday business purposes — information about your creditworthiness | Yes | Yes
For our affiliates to market to you | Yes | Yes
For nonaffiliates to market to you | Yes* | Yes
4.6 TAMPERING
In e-banking systems, the authorizations and access rights can be established in either a
centralized or distributed manner within a bank and are generally stored in databases. The
protection of those databases from tampering or corruption is therefore essential for
effective authorization control.
As e-banking is transacted over public networks, transactions are exposed to the added
threat of data corruption, fraud and the tampering of records. Accordingly, banks should
ensure that appropriate measures are in place to ascertain the accuracy, completeness and
reliability of e-banking transactions, records and information that is either transmitted
over the Internet, resident on internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank [28]. Common practices used to maintain data
integrity within an e-banking environment include the following:
E-banking transactions should be conducted in a manner that makes them highly
resistant to tampering throughout the entire process.
E-banking records should be stored, accessed and modified in a manner that
makes them highly resistant to tampering.
E-banking transaction and record-keeping processes should be designed in such a
manner as to make it virtually impossible to circumvent detection of unauthorized
changes.
Adequate change control policies, including monitoring and testing procedures,
should be in place to protect against any e-banking system changes that may
erroneously or unintentionally compromise controls or data reliability.
Any tampering with e-banking transactions or records should be detected by
transaction processing, monitoring and record keeping functions.
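As an added illustration of the "detect unauthorized changes" requirement above (example code, not from the course notes), here is a keyed hash chain over stored transaction records: each record carries an HMAC over its own fields, its position and the previous record's tag, so that editing, deleting or reordering a record breaks the chain and is found on verification. The key, record fields and sample transactions are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

def canonical(body: dict) -> bytes:
    """Stable byte encoding, so the same record always produces the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_record(ledger: list, record: dict, key: bytes) -> dict:
    """Stores the record with its position, the previous record's tag and
    tag = HMAC(key, fields || seq || prev_tag), chaining it to everything before it."""
    prev_tag = ledger[-1]["tag"] if ledger else "genesis"
    body = {**record, "seq": len(ledger), "prev_tag": prev_tag}
    entry = {**body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}
    ledger.append(entry)
    return entry

def first_bad_record(ledger: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Re-derives every tag in order. Returns the position of the first record whose
    contents, position or link has been altered; len(ledger) if records were dropped
    from the end (only detectable when the last known tag is kept somewhere the ledger
    writer cannot reach, e.g. an HSM or a separately protected audit store); or None
    if the ledger is intact."""
    prev_tag = "genesis"
    for position, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if (entry.get("seq") != position
                or entry.get("prev_tag") != prev_tag
                or not hmac.compare_digest(entry["tag"], expected)):
            return position
        prev_tag = entry["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return len(ledger)
    return None

def demo() -> dict:
    key = b"constructed demo key; in production the verification key lives in an HSM"
    ledger = []
    for record in [{"from": "ACC-1001", "to": "ACC-2002", "amount": "250.00"},
                   {"from": "ACC-2002", "to": "ACC-3003", "amount": "75.50"},
                   {"from": "ACC-1001", "to": "ACC-4004", "amount": "1200.00"}]:
        append_record(ledger, record, key)
    head = ledger[-1]["tag"]                       # last known good tag, stored separately
    altered = [dict(e) for e in ledger]
    altered[1]["amount"] = "7500.00"               # a stored amount is edited in place
    deleted = ledger[:1] + ledger[2:]              # a middle record is removed
    truncated = ledger[:2]                         # the newest record is dropped
    return {"intact": first_bad_record(ledger, key, head),
            "altered": first_bad_record(altered, key, head),
            "deleted": first_bad_record(deleted, key, head),
            "truncated": first_bad_record(truncated, key, head)}
```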
4.7 DATA ENCRYPTION STANDARD (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST). DES is an implementation of a
Feistel cipher: it uses a 16-round Feistel structure, and the block size is 64 bits.
Since DES is based on the Feistel Cipher, all that is required to specify DES is −
Round function
Key schedule
Any additional processing − Initial and final permutation
4.7.1 DES ANALYSIS
DES satisfies both of the desired properties of a block cipher. These two properties make
the cipher very strong.
Avalanche effect − A small change in the plaintext results in a very great change in
the ciphertext.
Completeness − Each bit of ciphertext depends on many bits of plaintext.
During the last few years, cryptanalysts have found some weaknesses in DES when the
selected key is a weak key. These keys should be avoided.
DES has proved to be a very well designed block cipher. There have been no significant
cryptanalytic attacks on DES other than exhaustive key search.
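The round function, key schedule and Feistel structure listed above can be seen in an added toy Feistel cipher (not DES itself and not from the course notes): a 64-bit block, 16 rounds, decryption by running the same rounds with the subkeys reversed, and a measurement of the avalanche effect. The SHA-256-based round function and key schedule are stand-ins for DES's own expansion, S-boxes and key permutations; the weak-key check uses the four published DES weak keys.

```python
import hashlib
import secrets

ROUNDS = 16          # DES also runs 16 rounds over a 64-bit block
MASK32 = 0xFFFFFFFF

# The four DES weak keys (published values, parity bits included). Their key schedule
# yields 16 identical subkeys, so encrypting twice with such a key returns the plaintext.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}

def is_des_weak_key(key: bytes) -> bool:
    """True if the 8-byte key is one of the DES weak keys that the text says to avoid."""
    return key in DES_WEAK_KEYS

def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """One 32-bit subkey per round. DES derives subkeys by permuting and rotating a
    56-bit key; this stand-in (assumption, not DES) hashes the key with the round number."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(rounds)]

def round_function(right: int, subkey: bytes) -> int:
    """F(R, K). DES expands R to 48 bits, XORs in K, applies eight S-boxes and a
    permutation; here a truncated SHA-256 stands in for that non-linear mixing."""
    return int.from_bytes(hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()[:4], "big")

def feistel(block: int, subkeys: list) -> int:
    """The Feistel network: split the 64-bit block into halves L and R and, per round,
    set (L, R) = (R, L xor F(R, K_i)). The last swap is undone, as in DES, so the same
    function with the subkeys reversed is the exact inverse."""
    left, right = block >> 32, block & MASK32
    for subkey in subkeys:
        left, right = right, left ^ round_function(right, subkey)
    return (right << 32) | left

def encrypt_block(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key))

def decrypt_block(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key)[::-1])

def avalanche(key: bytes, trials: int = 200) -> float:
    """Average number of ciphertext bits that change when one plaintext bit is flipped.
    For a well-diffusing 64-bit cipher the figure sits close to 32, half the block."""
    total = 0
    for i in range(trials):
        plaintext = secrets.randbits(64)
        flipped = plaintext ^ (1 << (i % 64))
        total += bin(encrypt_block(plaintext, key) ^ encrypt_block(flipped, key)).count("1")
    return total / trials
```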
UNIT V
5.1 E-BUILDER SOLUTIONS
E-Builder is a construction program management solution that manages capital program
cost, schedule, and documents through a world-class workflow and business intelligence.
e-Builder is a complete solution designed at its core to deliver control and reduce surprises
for owners of capital programs.
As an owner-centric project information management system, e-Builder is the trusted
central repository and becomes a knowledge-base for improving performance. It allows
owners to measure and manage every step of the capital project delivery process from
planning, design, procurement, construction and operations. As a cloud-based program
management solution, owners benefit from reduced cycle times, hard-dollar cost savings,
mitigated risks and exceptional productivity.
Custom Software Configuration
Whether your organization’s processes are mature or in the initial phases of design, E-
Builder will provide recommendations and tailored solutions that meet your needs so you
get the greatest return on investment possible.
E-Builder configures its cloud-based program management solution for your organization
to optimize your construction project.
5.2 DIGITAL SIGNATURES
A digital signature is a digital code (generated and authenticated by public key encryption)
that is attached to an electronically transmitted document to verify its contents and the
sender's identity.
How digital signatures work
Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm such as RSA, one can generate two keys that
are mathematically linked: one private and one public. To create a digital signature,
signing software (such as an email program) creates a one-way hash of the electronic data
to be signed. The private key is then used to encrypt the hash. The encrypted hash --
along with other information, such as the hashing algorithm -- is the digital signature. The
reason for encrypting the hash instead of the entire message or document is that a hash
function can convert an arbitrary input into a fixed length value, which is usually much
shorter. This saves time since hashing is much faster than signing.
The value of the hash is unique to the hashed data. Any change in the data, even changing
or deleting a single character, results in a different value. This attribute enables others to
validate the integrity of the data by using the signer's public key to decrypt the hash. If
the decrypted hash matches a second computed hash of the same data, it proves that the
data hasn't changed since it was signed. If the two hashes don't match, the data has either
been tampered with in some way (integrity) or the signature was created with a private
key that doesn't correspond to the public key presented by the signer (authentication).
A digital signature can be used with any kind of message -- whether it is encrypted or not
-- simply so the receiver can be sure of the sender's identity and that the message arrived
intact. Digital signatures make it difficult for the signer to deny having signed something
(non-repudiation) -- assuming their private key has not been compromised -- as the
digital signature is unique to both the document and the signer, and it binds them
together. A digital certificate, an electronic document that contains the digital signature of
the certificate-issuing authority, binds together a public key with an identity and can be
used to verify a public key belongs to a particular person or entity.
If the two hash values match, the message has not been tampered with, and the receiver
knows the message is from the sender.
Most modern email programs support the use of digital signatures and digital certificates,
making it easy to sign any outgoing emails and validate digitally signed incoming
messages. Digital signatures are also used extensively to provide proof of authenticity,
data integrity and non-repudiation of communications and transactions conducted over
the Internet.
5.2.1 DIGITAL SIGNATURE CERTIFICATES
Digital Signature Certificates (DSC) are the digital equivalent (that is electronic format)
of physical or paper certificates.
How to get a Digital Signature Certificate?
The Office of the Controller of Certifying Authorities (CCA) issues certificates only to
Certifying Authorities (CAs); a CA issues Digital Signature Certificates to end users. You
can approach any one of the seven CAs for a Digital Signature Certificate. Their website
addresses are given below.
www.safescrypt.com
www.nic.in
www.idrbtca.org.in
www.tcs-ca.tcs.co.in
www.ncodesolutions.com
www.e-Mudhra.com
5.3 ELECTRONIC SIGNATURE
An electronic signature, or e-signature, refers to data in electronic form, which is
logically associated with other data in electronic form and which is used by the signatory
to sign. This type of signature provides the same legal standing as a handwritten signature
as long as it adheres to the requirements of the specific regulation it was created under
(e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).
An electronic signature consists of symbols or other data in digital form attached to an
electronically transmitted document as verification of the sender's intent to sign the
document. The new rules will make electronic signatures acceptable and speed up the
application process.
Increasingly, digital signatures are used in e-commerce and in regulatory filings to
implement electronic signature in a cryptographically protected way. Standardization
agencies like NIST or ETSI provide standards for their implementation (e.g., NIST-DSS,
XAdES or PAdES).[3][5] The concept itself is not new, with common law jurisdictions
having recognized telegraph signatures as far back as the mid-19th century and faxed
signatures since the 1980s.
An electronic signature is intended to provide a secure and accurate identification method
for the signatory to provide a seamless transaction. Definitions of electronic signatures
vary depending on the applicable jurisdiction. A common denominator in most countries
is the level of an Advanced Electronic Signature requiring that:
1. The signatory can be uniquely identified and linked to the signature
2. The signatory must have sole control of the private key that was used to create the
electronic signature
3. The signature must be capable of identifying if its accompanying data has been
tampered with after the message was signed
4. In the event that the accompanying data has been changed, the signature must be
invalidated.
Electronic signatures may be created with increasing levels of security, with each having
its own set of requirements and means of creation on various levels that prove the validity
of the signature. To provide an even stronger probative value than the above described
advanced electronic signature, some countries like the European Union or Switzerland
introduced the qualified electronic signature. It is difficult to challenge the authorship of a
statement signed with a qualified electronic signature - the statement is non-repudiable.
Technically, a qualified electronic signature is implemented through an advanced
electronic signature that utilizes a digital certificate, which has been encrypted through a
security signature-creating device.
5.4 E-SECURITY SOLUTIONS
ESecurity Solutions has been providing serious security solutions to businesses since
2003 by providing a full complement of services and products that will help you to
achieve your security goals.
Starting with security risk assessments, we can audit your security strategy and
implementation and provide you with a prioritized list of vulnerabilities and required
solutions. Our expert managed security services offload the difficult and time consuming
task of implementing and managing your security. Our security services are designed to
meet your regulation compliance and security objectives. We are fluent in all major
security regulations such as HIPAA, PCI, banking regulations, and international
standards such as ISO.
With ESecurity Solutions you will:
Have a strong, well balanced security strategy
Leverage 13 years of security experience
Have a robust security defense, monitoring, and management program
Be able to focus on other areas of IT – so you can grow your business
Sleep at night – Knowing that you have an expert partner
When you confront data protection challenges, you may know exactly what you need—or
you may find the many different approaches somewhat bewildering. Whether you are
highly experienced with cryptography or just getting started, be assured that Thales e-
Security has designed products and services with your business and technology
requirements in mind. Our experts have created these solutions pages to help you gain a
deeper understanding of today’s and tomorrow’s data protection challenges and to find
the Thales products and services that can help you overcome them. Explore our wide
array of solutions for your toughest data security challenges.
5.4.1 Data Security and Protection Strategy: Today’s Challenge
Data security and the challenge of data protection is increasing in scope—and difficulty.
While organizations have long needed to safeguard intellectual property and confidential
information, changes in information technology and business models introduce new
actors, new threats, and new regulations. As a result, organizations need to think beyond
the traditional models of securing the perimeter and locking down specific segments of
IT infrastructure in order to formulate their data protection goals. Some inherent
challenges include:
Protecting others’ information as well as your own. Consumers’ increased
awareness of security breaches and privacy issues in general brings into sharp
focus the fact that almost any information can be stolen and misused. To sustain
business relationships, organizations must be able to assure customers and
partners that their information will be safe.
Understanding who—and what—to trust. Organizations are steadily losing
control over their systems and workforce. The trend toward virtualization,
outsourcing, use of contract staff, and arrival of consumer devices in the
workplace all make it harder for organizations to impose policies and monitor
compliance. It is inevitable that sensitive information will exist in systems and
devices or in the hands of users over which the organization has limited control.
Staying ahead of attackers. The persistence and sophistication of attacks rise with
the potential reward. Malicious individuals and malware—malicious programs—
come in many varieties. The term Advanced Persistent Threats (APTs) has come
to represent the most sophisticated forms of malware. Consumer data is an
especially attractive target that tends to grab the headlines. But many other kinds
of information, such as product formulas, business strategies, or other commercial
secrets, are also at substantial risk.
Knowing which regulations and standards apply. Governments and industry
bodies have created laws, regulations, and standards to motivate organizations to
protect the privacy and confidentiality of information. Responsibilities can vary
widely by region and by industry, with many organizations facing multiple and
inconsistent mandates, resulting in uncertainty and confusion. When faced with a
security incident, ill-prepared organizations have little choice but to disclose
everything—just in case.
5.4.2 RISKS
Failure to deploy effective data protection measures can leave an organization
open to attack, but building your plan before completing basic data discovery and
classification will lead at best to a partial solution.
Data protection goes beyond confidentiality and privacy; plans should also
address threats to data integrity through modification or substitution that could
result in follow-on attacks with much greater impact than the loss of individual
data records.
Data flows and usage patterns frequently span multiple organizational silos and
management domains, making it difficult to establish consistency and sometimes
exposing “air-gaps” or weak links between different security regimes.
Deploying cumbersome security measures can result in needless tradeoffs
between security and operational efficiency—or security and cost.
Successful data protection is a moving target—ever-changing privacy regulations,
new and advanced attack methods, and the shifting IT environment all drive the
need to re-evaluate data protection strategies frequently.
5.4.3 Data Protection Strategy: Thales e-Security Solutions
All products and services from Thales e-Security have one goal: to help businesses,
governments, and other organizations succeed in overcoming today’s and tomorrow’s
complex data protection challenges. We provide proven security products and services
that seek to maximize operational efficiency, minimize total cost of ownership, and keep
organizations agile as requirements, regulations and IT systems change over time. The
bottom line: making a system more secure must not make it less reliable or scalable. No
organization can afford that kind of security.
Thales solutions span five critical areas: hardware security modules (HSMs), network
encryption, key management, time stamping, and identity management. We work closely
not only with the businesses and governments that use our products and services, but also
with many technology partners throughout the world—including OEM partners who
embed our technology in their own products. We test our products with common security
and business applications in order to pre-qualify our solutions and accelerate deployment
for our customers. All our products are independently certified to meet FIPS, Common
Criteria, or other security standards, enabling our customers to deploy effective data
protection solutions with confidence.
Thales believes that bringing higher levels of assurance to business systems must go
beyond just incremental improvement of security to minimize the disruption of business
operations in the event of an attack. We help organizations minimize the risk of error,
automate processes for greater efficiency, and recover more easily when incidents occur.
Furthermore, we focus on system performance and scale by addressing bottlenecks that
can be created by the introduction of cryptographic processes such as encryption and
digital signing. By taking advantage of Thales products and expert consulting services to
understand the spectrum of risk to their sensitive data and applications—and mitigate the
most serious risks—many businesses and government agencies around the world are
improving protection of their critical data assets and more effectively aligning operations
with their strategic goals and obligations.
Benefits:
Work with leading experts in data protection and key management.
Take advantage of proven products in a broad range of data protection arenas.
Increase confidence—rely on products that have been independently certified.
Choose from a variety of deployment options—purchase only the capacity you
need today, then upgrade easily over time as your needs change.
Accelerate deployments—Thales works with a broad range of technology partners
to ensure interoperability with leading commercial systems and applications.
5.5 E-LOCKING TECHNIQUE
An electronic lock (or electric lock) is a locking device which operates by means of
electric current. Electric locks are sometimes stand-alone with an electronic control
assembly mounted directly to the lock. Electric locks may be connected to an access
control system, the advantages of which include: key control, where keys can be added
and removed without re-keying the lock cylinder; fine access control, where time and
place are factors; and transaction logging, where activity is recorded. Electronic locks can
also be remotely monitored and controlled, both to lock and unlock.
Electric locks use magnets, solenoids, or motors to actuate the lock by either supplying or
removing power. Operating the lock can be as simple as using a switch, for example an
apartment intercom door release, or as complex as a biometric based access control
system.
E-Lock is a leading provider of digital and electronic signature solutions,
empowering businesses across the globe to go paperless conveniently and
securely.
While ensuring security and legal compliance, our dSig and eSig solutions
provide an easy, user-friendly way to authenticate documents, content and
transactions.
E-Lock electronic and digital signature solutions can be integrated with any
existing application, software or workflow.
5.6 E-LOCKING SERVICES
The ELocker's electromagnetic locking mechanism is the next generation of aftermarket
differential technology. It performs as an open differential until you decide that you need
more traction. Eaton ELocker is your push button solution to almost any traction
problem.
Designed expressly for 4-wheel drive systems to give you the ability to lock or unlock the
differentials when necessary. When locked the Eaton ELocker performs as a full locker,
capturing 100% of available torque and sending it equally to both ends of the axle.
The ELocker is built with precision-forged gears that are designed to mesh perfectly,
providing improved strength and durability over a standard cut gear. Its ease of
installation, reliability and push-button activation make ELocker an absolute must for all
traction and off-road performance applications.
There are two basic types of locks, by "preventing mechanism" or by operating mechanism.
Electromagnetic lock
The most basic type of electronic lock is a magnetic lock (commonly called a "mag
lock"). A large electro-magnet is mounted on the door frame and a corresponding
armature is mounted on the door. When the magnet is powered and the door is closed, the
armature is held fast to the magnet. Mag locks are simple to install and are very attack-
resistant. One drawback is that improperly installed or maintained mag locks can fall on
people and also that one must unlock the mag lock to both enter and to leave. This has
caused fire marshals to impose strict rules on the use of mag locks and access control
practice in general. Additionally, NFPA 101 (Standard for Life Safety and Security), as
well as the ADA (Americans with Disabilities Act) require "no prior knowledge" and "one
simple movement" to allow "free egress". This means that in an emergency, a person
must be able to move to a door and immediately exit with one motion (requiring no push
buttons, having another person unlock the door, reading a sign, or "special knowledge").
Electronic strikes
Electric strikes (also called electric latch release) replace a standard strike mounted on the
door frame and receive the latch and latch bolt. Electric strikes can be simplest to install
when they are designed for one-for-one drop-in replacement of a standard strike, but
some electric strike designs require that the door frame be heavily modified. Installation
of a strike into a fire listed door (for open backed strikes on pairs of doors) or the frame
must be done under listing agency authority, if any modifications to the frame are
required (mostly for commercial doors and frames). In the US, since there is no current
Certified Personnel Program to allow field installation of electric strikes into fire listed
door openings, listing agency field evaluations would most likely require the door and
frame to be de-listed and replaced.
Electric strikes can allow mechanical free egress: a departing person operates the lockset
in the door, not the electric strike in the door frame. Electric strikes can also be either
"fail unlocked" (except in Fire Listed Doors, as they must remain latched when power is
not present), or the more-secure "fail locked" design. Electric strikes are easier to attack
than a mag lock. It is simple to lever the door open at the strike, as often there is an
increased gap between the strike and the door latch. Latch guard plates are often used to
cover this gap.
5.7 PUBLIC KEY INFRASTRUCTURE
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-
key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of
information for a range of network activities such as e-commerce, internet banking and
confidential email. It is required for activities where simple passwords are an inadequate
authentication method and more rigorous proof is required to confirm the identity of the
parties involved in the communication and to validate the information being transferred.
In cryptography, a PKI is an arrangement that binds public keys with respective identities
of entities (like persons and organizations). The binding is established through a process
of registration and issuance of certificates at and by a certificate authority (CA).
Depending on the assurance level of the binding, this may be carried out by an automated
process or under human supervision.
The PKI role that assures valid and correct registration is called registration authority
(RA). An RA is responsible for accepting requests for digital certificates and
authenticating the entity making the request.[3] In a Microsoft PKI, a registration authority
is usually called a subordinate CA.
An entity must be uniquely identifiable within each CA domain on the basis of
information about that entity. A third-party validation authority (VA) can provide this
entity information on behalf of the CA.
5.7.1 Design
Public key cryptography is a cryptographic technique that enables entities to securely
communicate on an insecure public network, and reliably verify the identity of an entity
via digital signatures.
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of
digital certificates which are used to verify that a particular public key belongs to a
certain entity. The PKI creates digital certificates which map public keys to entities,
securely stores these certificates in a central repository and revokes them if needed.
A PKI consists of:[7][9][10]
A certificate authority (CA) that stores, issues and signs the digital certificates
A registration authority which verifies the identity of entities requesting their
digital certificates to be stored at the CA
A central directory—i.e., a secure location in which to store and index keys
A certificate management system managing things like the access to stored
certificates or the delivery of the certificates to be issued.
A certificate policy
5.8. FIREWALLS SECURE LEDGER
A firewall is a program or device that acts as a barrier to keep destructive elements out of
a network or specific computer. Firewalls are configured (in hardware, software, or both)
with specific criteria to block or prevent unauthorized access to a network.
They work as filters for your network traffic by blocking incoming packets of
information that are seen as unsafe. In large corporations, if a firewall is not in place,
thousands of computers could be vulnerable to malicious attacks. Firewalls should be
placed at every connection to the internet and are also used to control outgoing web
traffic as well in large organizations.
Firewalls use several strategies to control traffic flowing in and out of networks. Packet
filtering is when small chunks of data (called packets) are run through a filter and
analyzed. Stateful inspection is where the contents of each packet are not examined, but
instead key parts of the packet are compared to a database of trusted information, letting
through the packets that pass this test. Firewalls can be configured to filter by several
variables: IP address, domain name, protocol, port or even specific words or phrases.
Though some operating systems come with a built-in firewall, internet routers also
provide very affordable firewall protection when configured properly.
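As an added illustration (not from the course notes) of packet filtering combined with stateful inspection, here is a small filter that checks packets against allow/deny rules by direction, protocol, destination address and port, and keeps a connection table so that replies to admitted connections pass while unsolicited packets do not. The policy, addresses and traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # TCP flags, used to tell a new connection from a reply
    ack: bool = False

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in" (from the internet) or "out" (from the LAN)
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"      # destination network in CIDR form
    dst_port: Optional[int] = None  # None matches any port

class StatefulFirewall:
    """Packet filter with a connection table. Rules are checked top-down, first match
    wins, and anything no rule allows is dropped (deny by default)."""

    def __init__(self, rules: list, internal_net: str):
        self.rules = rules
        self.internal = ipaddress.ip_network(internal_net)
        self.connections = set()   # 5-tuples of flows a rule has admitted

    def _matches(self, rule: Rule, pkt: Packet, direction: str) -> bool:
        return (rule.direction == direction
                and rule.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
                and rule.dst_port in (None, pkt.dst_port))

    def process(self, pkt: Packet) -> str:
        direction = "out" if ipaddress.ip_address(pkt.src_ip) in self.internal else "in"
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful inspection: a packet belonging to an admitted flow, in either
        # direction, is passed on the strength of the connection table alone.
        if flow in self.connections or reply in self.connections:
            return "allow (established)"
        for rule in self.rules:
            if self._matches(rule, pkt, direction):
                if rule.action != "allow":
                    return "deny (rule)"
                # Only a bare SYN may open a TCP connection; an ACK or data segment
                # with no matching state is stale or spoofed and is dropped.
                if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                    return "deny (no state)"
                self.connections.add(flow)
                return "allow (new)"
        return "deny (default)"

def demo() -> list:
    """Constructed traffic against a small policy: LAN 10.0.0.0/24 may browse HTTPS,
    and the internet may reach only the web server 10.0.0.5 on port 443."""
    fw = StatefulFirewall([
        Rule("allow", "out", "tcp", dst_port=443),
        Rule("allow", "in", "tcp", dst_net="10.0.0.5/32", dst_port=443),
    ], "10.0.0.0/24")
    traffic = [
        Packet("tcp", "10.0.0.7", 51000, "203.0.113.10", 443, syn=True),           # LAN opens HTTPS
        Packet("tcp", "203.0.113.10", 443, "10.0.0.7", 51000, syn=True, ack=True), # server replies
        Packet("tcp", "198.51.100.9", 443, "10.0.0.7", 51000, ack=True),           # unsolicited "reply"
        Packet("tcp", "198.51.100.9", 40000, "10.0.0.5", 443, syn=True),           # visitor to web server
        Packet("tcp", "198.51.100.9", 40001, "10.0.0.5", 22, syn=True),            # SSH probe
        Packet("tcp", "10.0.0.7", 51001, "203.0.113.10", 23, syn=True),            # telnet out, not allowed
        Packet("tcp", "10.0.0.8", 52000, "203.0.113.10", 443, ack=True),           # ACK with no handshake
    ]
    return [fw.process(p) for p in traffic]
```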
5.9 SECURE ELECTRONIC TRANSACTION
Secure Electronic Transaction (SET) was a communications protocol standard for
securing credit card transactions over insecure networks, specifically, the Internet. SET
was not itself a payment system, but rather a set of security protocols and formats that
enabled users to employ the existing credit card payment infrastructure on an open
network in a secure fashion. However, it failed to gain traction in the market. VISA
now promotes the 3-D Secure scheme.
To meet the business requirements, SET incorporates the following features:
Confidentiality of information
Integrity of data
Cardholder account authentication
Merchant authentication
A SET system includes the following participants:
Cardholder
Merchant
Issuer
Acquirer
Payment gateway
Certification authority
How it Works
Both cardholders and merchants must first register with a CA (certificate authority) before
they can buy or sell on the Internet. Once registration is done, cardholder and merchant
can start to do transactions, which involve 9 basic steps in this protocol (simplified
here).
1. Customer browses the website and decides on what to purchase
2. Customer sends order and payment information, which includes 2 parts in one
message:
a. Purchase Order – this part is for the merchant
b. Card Information – this part is for the merchant’s bank only
3. Merchant forwards card information (part b) to their bank
4. Merchant’s bank checks with the Issuer for payment authorization
5. Issuer sends authorization to Merchant’s bank
6. Merchant’s bank sends authorization to the merchant
7. Merchant completes the order and sends confirmation to the customer
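The two-part message in step 2 is what SET's dual signature provides. Here is an added example (not from the course notes) of that construction: the cardholder signs H(H(order) || H(card data)) once; the merchant receives the order plus only the hash of the card data, the bank receives the card data plus only the hash of the order, and each can check that its part is bound to the other. The RSA key pair is built from two public Mersenne primes so the block runs stand-alone (such a key offers no secrecy), and textbook RSA without padding stands in for SET's real signature format.

```python
import hashlib

# Constructed demo key pair from two publicly known Mersenne primes; a real cardholder
# key would come from its Digital Signature Certificate.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _linked_digest(h_oi: bytes, h_pi: bytes) -> int:
    """The quantity that is actually signed: H(H(OI) || H(PI))."""
    return int.from_bytes(_h(h_oi + h_pi), "big")

def cardholder_prepare(order_info: bytes, payment_info: bytes) -> dict:
    """Step 2: one signature links the order (OI) and the card data (PI); each party
    then gets its own part in clear and only the hash of the other part."""
    h_oi, h_pi = _h(order_info), _h(payment_info)
    dual_sig = pow(_linked_digest(h_oi, h_pi), _D, _N)      # textbook RSA, no padding
    return {
        "to_merchant": {"order_info": order_info, "h_payment_info": h_pi, "dual_sig": dual_sig},
        "to_bank": {"payment_info": payment_info, "h_order_info": h_oi, "dual_sig": dual_sig},
    }

def merchant_verify(envelope: dict) -> bool:
    """The merchant never sees the card number, yet can check that the order it holds
    is the one the cardholder signed, tied to one specific payment instruction."""
    expected = _linked_digest(_h(envelope["order_info"]), envelope["h_payment_info"])
    return pow(envelope["dual_sig"], _E, _N) == expected

def bank_verify(envelope: dict) -> bool:
    """Steps 3-4: the bank sees the card data but only a hash of the order, and checks
    that the authorization it grants is bound to exactly that order."""
    expected = _linked_digest(envelope["h_order_info"], _h(envelope["payment_info"]))
    return pow(envelope["dual_sig"], _E, _N) == expected

def demo() -> dict:
    order = b"order=1001;items=2x textbook;total=1200.00 INR"               # constructed OI
    card = b"card=XXXX-XXXX-XXXX-1111;expiry=MM/YY;holder=A.Sample"          # constructed PI
    msg = cardholder_prepare(order, card)
    # An order total changed in transit no longer matches the signed linkage.
    altered = {**msg["to_merchant"], "order_info": order.replace(b"1200.00", b"12000.00")}
    # The card part presented with a different order's hash fails at the bank.
    other_order = {**msg["to_bank"], "h_order_info": _h(b"order=1002;total=9999.00 INR")}
    return {"merchant_ok": merchant_verify(msg["to_merchant"]),
            "bank_ok": bank_verify(msg["to_bank"]),
            "merchant_altered_order": merchant_verify(altered),
            "bank_wrong_order": bank_verify(other_order)}
```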
CMS COLLEGE OF SCIENCE & COMMERCE, COIMBATORE-49(AUTONOMOUS)
SCHOOL OF COMMERCE
MODEL EXAMINATIONS, OCTOBER - 2016
E-BANKING
SECTION – A (4 X 1 = 4) (Answer all the questions)
1. E-Banking
a) Email banking b) Electronic banking c) Easy Banking d) Elegant banking
2. A _______ usually contains an embedded 8-bit microprocessor
a) sim card b) smart card c) pan card d) credit card
3. Online banking is also known as _________.
a) Internet Banking b) Intranet Banking c) VAN d) None
4. Abbreviate SET.
a) Secure Ecommerce Transaction b) Secure Electronic Transaction c) Security Electronic Transaction d) None of the above.
SECTION – B (3 X 4 = 12) (Answer any three questions)
5. Define E-Banking.
6. What is the use of E-Cheque?
7. Explain MICR.
8. Write about Cyber Crime with examples.
9. Describe the importance of E-Locking Services.
SECTION – C (3 X 8 = 24) (Answer any three questions)
10. Difference between Traditional Banking and E-Banking.
11. Explain ATM in detail.
12. Explain E-Banking Transactions.
13. Write in detail about E-Banking Security.
14. What is meant by E-Builder? Explain.
****All the best****